xmrig_linux | e3a24865935df812072d57a87e460d5cbe1f5f45d6fb0f470f3182f55669e6bb

Analysis

max time kernel
155s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/03/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.sh
Size

573B
MD5

badbf4901e27cdee108f6ea8ba30837e
SHA1

e8f20bcae4ce68b777f43718b12125aa0cfdf6d8
SHA256

e3a24865935df812072d57a87e460d5cbe1f5f45d6fb0f470f3182f55669e6bb
SHA512

6a5e729fdad612340e1e2d4b347ada7c372db6c015b90fa126b50c74b6d356c619c3e9243b0b83fa1fc0eaf818b571afcd75fd9af34303c411c0d755353d5831

Score

10^/10

xmrig_linux antivm miner rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/xmrig-6.21.1/xmrig	1586	xmrig

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/arch/x86/kernel/msr.ko	1593	modprobe

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	xmrig

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_name	xmrig

Reads CPU attributes 1 TTPs 45 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/online	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/possible	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	xmrig
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	xmrig

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/board_name	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	xmrig
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	xmrig

Enumerates kernel/hardware configuration 1 TTPs 24 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	xmrig
File opened for reading	/sys/devices/system/node/node0/meminfo	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/bus/dax/devices	xmrig
File opened for reading	/sys/devices/system/node/node0/access1/initiators	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	xmrig
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/devices/system/cpu	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	xmrig
File opened for reading	/sys/devices/virtual/dmi/id	xmrig
File opened for reading	/sys/firmware/dmi/tables/DMI	xmrig
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	xmrig
File opened for reading	/sys/kernel/mm/hugepages	xmrig
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	xmrig
File opened for reading	/sys/devices/system/node/online	xmrig
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	xmrig
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	xmrig
File opened for reading	/sys/devices/system/node/node0/cpumap	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	xmrig
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	xmrig

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/vm/nr_hugepages	xmrig
File opened for reading	/proc/cmdline	modprobe
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/mounts	xmrig
File opened for reading	/proc/self/cpuset	xmrig
File opened for reading	/proc/meminfo	xmrig
File opened for reading	/proc/driver/nvidia/gpus	xmrig

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/xmrig-6.21.1/config.json	tar
File opened for modification	/tmp/xmrig-6.21.1-linux-x64.tar.gz	wget
File opened for modification	/tmp/xmrig-6.21.1/xmrig	tar
File opened for modification	/tmp/xmrig-6.21.1/SHA256SUMS	tar

/tmp/start.sh
/tmp/start.sh
1⤵
PID:1560
- /usr/bin/wget
  wget https://github.com/xmrig/xmrig/releases/download/v6.21.1/xmrig-6.21.1-linux-x64.tar.gz -O xmrig-6.21.1-linux-x64.tar.gz
  2⤵
  - Writes file to tmp directory
  PID:1561
- /bin/tar
  tar -xvf xmrig-6.21.1-linux-x64.tar.gz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1584
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1585
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1585
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1585
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1585
- - /sbin/gzip
    gzip -d
    3⤵
    PID:1585
- - /bin/gzip
    gzip -d
    3⤵
    PID:1585
- /tmp/xmrig-6.21.1/xmrig
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1586
- - /bin/sh
    sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
    3⤵
    PID:1592
  - - /sbin/modprobe
      /sbin/modprobe msr "allow_writes=on"
      4⤵
      Loads a kernel module
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1593

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/xmrig-6.21.1-linux-x64.tar.gz

Filesize
590KB

MD5
73828f2e452662a4b805085dc12ac761

SHA1
155ba44ff06c9b391ee45a1a615a7a2d931bc4ff

SHA256
cc8061989e76922907c49c7e70444be10e662ca16df0d5c26b8b017b48c028a0

SHA512
4bac1bff05deb82982788cbe7967ef7a89203c55eb00130bfe079bc286eec04da6f0654703f37e988d461c03fca1485268bd8f098006037c80e42c9062d2d75b

Download Submit
/tmp/xmrig-6.21.1/SHA256SUMS

Filesize
150B

MD5
0eeaf66a6ba6b6934ffefce538342572

SHA1
8f28c8a7345c85b2ae78924828aa16e1b6be7b97

SHA256
aa89fb25473e544be6a5cbe6a6106e220fc6cd4b935fe76bc73a19b3b6daed60

SHA512
5a8e8a77e97f2b221bf1a9097a2f19a2c3c0ed376d7e2561a41c6d74203ddbe9d0482a818d17555da44088e511b3724dd41dd7cc91e3ebaadab9c176b1a7b57d

Download Submit
/tmp/xmrig-6.21.1/config.json

Filesize
2KB

MD5
66f38c96a4901e7b345787c447842b3e

SHA1
2aa9b4d1bd2edd5d81bd9725e9318edaee67531f

SHA256
2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec

SHA512
71757fad29d6d2a257362ed28cde9f249cc8a14e646dee666c9029ea97c72de689cdf8ed5cf0365195a6a6831fe77d82efe5e2fa555c6cc5078f1f29ae8dd68f

Download Submit
/tmp/xmrig-6.21.1/xmrig

Filesize
8.5MB

MD5
acd5703f400e766de20d821496dff1a3

SHA1
d297c2a25a4b3b2cbb868722b5a2369b73a98295

SHA256
921e7f09674208e7de08b1988f889c755a9118d54cccd4b76f373a48df5c0847

SHA512
c74cc3d43de65e757927e668f9889f01e5cdf59c0a6b5385f33a8bbafd0f59722efb5e1437340fe754131d5dee9a6770b00e21a4fc21443de0063bd7e1d8bbcb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads